Don't say you weren't warned: Miele went full Internet-of-Things with a network-connected dishwasher, gave it a web server, and now finds itself on the wrong end of a security bug report – and it's accused of ignoring the warning.
The utterly predictable vulnerability advisory on the Full Disclosure mailing list details CVE- …

If so-called tech companies give up on patching a smartphone after 3 - 6 months in many cases, what chance does an IoT white good have in 10 to 20 years?

In most cases, there just isn't any benefit to having white goods attached to the internet. What is it supposed to tell me? I can't start it until I have manually filled it up and it already turns itself off, when it is finished.

Mine has a little light for salt and another for clear rinse, which light up when they need refilling... I just don't see the need for these things.

it's obviously on the dirty network

and just as bad as all the connected cars - I have to pay £90 just to update maps on mine let alone all the other crud/bloat attempting to become a subscription to tat service I already have perfectly well delivered on my phone for no extra charge.

Re: it's obviously on the dirty network

and just as bad as all the connected cars - I have to pay £90 just to update maps on mine

We're straying off topic, but yeah, mine too. I laughed at them on the phone when they tried to tell me that price. I would say it's a racket, and it would be if they actually got anyone paying for these updates. But why would you do that when you can buy a new TomTom or Garmin for half that price, including updates, and with a better user interface.

So not a racket; maybe just plain stupidity? If they're trying to sell the updates as a product, then they've clearly missed that lesson in high-school economics about supply and demand -- if they cut the price to £25, it's a pretty good bet they'd get more than four times as many sales. It's obvious really, so why do they price it so high?

So not a racket and not stupidity. It's actually planned obsolescence. They don't want people to update the maps because they want them to go out of date. Because that will make the whole car feel more dated, which will prompt us to replace the car with a new one sooner than we might have done otherwise.

Re: it's obviously on the dirty network

Actually, they are milking the used car market. At least that is the reason I suspect for the higher end cars from volume manufacturers / the entire fleet from premium manufacturers.

Most people who get to buy a brand new car and spec it to their needs automatically receive an "all-inclusive" deal for Telemetrics and Updates for 3-5 years. That is the deal for BMW and Mercedes, I would assume similar deals for other brands.

The folks who can afford to buy those brand new will eventually, usually well within the free period, move on to a different brand car or a newer model, releasing the car to the used car market. And that is why this racket will keep working. Corporate does not care about a second hand owner, because they regularly do not earn any money with him. Second hand owner might shell out the cash for an update grudgingly, but will surely take oil changes and repairs or tire changes to the bloke round the corner. The only person to be taken seriously when bitching about this is first hand buyer, and he never noticed the racket due to his free period.

It appears the scope of this ought to be extended considerably, provided it can be done responsibly (the use of inferior or even unsuitable materials can create a non-trivial risk). I always found the high cost of on-board GPS a bit artificial anyway, making updates cost so much strikes me as doubling the abuse.

Not everything containing electronics is made by Apple. Miele is not trying to peddle you a new washing machine every year when the last model is out. They might suck at webservers, the rest of the hardware is still good.

Re: it's obviously on the dirty network

The article is indeed along similar lines, at least in terms of manufacturer strategy, although the deal with farm machinery is different - a purchase like that usually remains in use longer than passenger vehicles, and they don't change hands like used cars do.

And yes, the same tricks are deployed by some car brands, and it is not even about cheap unsafe knock-off parts. There are ways to actually block minor, simple repairs / maintenance. Examples: BMW requires new batteries to be "learned" into the system after replacement, after an oil change the "nag counter" has to be reset etc. If access there is blocked your car might be just fine but keeps nagging you. Worse than that is automatic parking brake setting on some brands which can make replacing brake rotors / pads a pain, a dealership will just hook up their diagnostic tool and tell it to release the parking brake.

This is not a safety "feature" but an attempt to lock people into the dealership rates, with ridiculous parts markups and hourly rates. Thankfully, for most of these nuisances the aftermarket quickly finds workarounds or hacks because demand is high.

big_D: "In most cases, there just isn't any benefit to having white goods attached to the internet. What is it supposed to tell me? I can't start it until I have manually filled it up and it already turns itself off, when it is finished."

... You appear to be looking for something that would be a benefit to you. Please make no mistake, in a lot of cases IoT is not about consumer benefit, it's about them:

- Making it stand out in the store -- It has to have a bigger LCD panel than the competitor's model and some bright animation playing on it to draw you in - things that are actually no benefit to you, but higher numbers and larger sizes sell even when they are not relevant. I imagine that once more than half of dishwashers have a screen on them, there will even be some poor folk who will not consider buying one without a screen, even if they don't know why.

- Letting them know how you use it -- They need to know when the salt is low, whether you skip putting rinse aid in, when it's due for a service etc. They can even kindly let you know after 11 months that you in fact bought the wrong model because you do two washes per day and as it happens they have made a newer model with a quicker wash cycle. How great would it be to have a d/w less than a year old displaying an advert for the d/w it wishes it was. And you can bet all those variables will be added into warranty contract so it's easier for them to say it's your fault the d/w broke because you used Aldi rinse aid, didn't top up the salt, and you should have bought the model which was fit for your usage case.

The possibility that it might be some use to you during your period of ownership is the last thing they think about.

Can't find the IP Address of my pitchfork

Maytag does

Our trusty stacking Maytag washer/dryer finally bit the dust after 17 years. Imported from the USA and sadly no longer made, so I had to settle for a Bosch that takes twice as long and doesn't dry the damn clothes properly. Let's see if these get to 7 years, let alone 17.

Re: Can't find the IP Address of my pitchfork

If it wasn't for a general dropping trend in burglary rates, then such unprotected devices would be very useful when casing houses, just by peeking at their usage. Script kiddie skill only.

Assume a dishwasher runs once every 1-2 days. A house in summer time with more than a week since the last load is likely empty. Add that police, logically enough, typically don't prioritize responding to burglar alarms and you have 15-20 minutes to loot.

Non-obsolescence

Re: Maytag does

I had to settle for a Bosch that takes twice as long and doesn't dry the damn clothes properly

IME, Bosch (or rather BSH) machines are far, far better at washing than the Victorian junk peddled by Maytag. On the matter of drying, they certainly will stop you before you can bake every milligram of water from the clothing. But baking your clothes old style simply means they re-absorb water from the atmosphere the moment they come out of the machine (as well as being irretrievably creased).

"you really think modern white goods are made to last 10-20 years?"

Yes, I do. In fact I'd say the design was defective if it didn't last at least 10 years.

I *thought* our 8 year old dishwasher had died a few weeks ago when it decided to wet the kitchen floor. After getting out a screwdriver and spending an hour digging around, I managed to establish that the tube leading to the pressure switch that detects the water level was clogged up with gunk. 15 minutes later, I'd cleaned the part and the dishwasher was fully functional again.

Saying that, like most things nowadays, the dishwasher was designed to a size envelope, not for repairability, so the job *could* have been easier, at the expense of the dishwasher not fitting into a standard sized hole.

Re: you can buy a new TomTom or Garmin for half that price

Whirlpool Hobart been in the house since 1978. Never failed once yet ... Norge fridge dated 1949 also still on the job. They made em to last a lifetime indeed and agreed Miele is doing great quality, imho, professional stuff, the network plug is one too many.

Please make no mistake, in a lot of cases IoT is not about consumer benefit, it's about them:

If "they" build a spectrometer into the unit, they can analyse the food you are eating and propose healthy options (while secretly procuring a life insurance on you before grassing you up to the insurers).

If you use your machine for washing laboratory glassware, they can see what you are working on and front-run your patents - or narc on you.

Add that police, logically enough, typically don't prioritize responding to burglar alarms and you have 15-20 minutes to loot.

Even worse.. How many routers damn near automatically trust any access to their config system from inside the local network? These days, how many people are hooking their alarm and camera systems up to said router?

Oh, and there's those nice doorlocks that talk to your phone via bluetooth or the local WiFi (if you're close enough to be on your local net, you're close enough for the door to be unlocked), and other ones that use NFC/RFID.. All of which are configured by an HTML/JS-based app on the device's internal webserver, which of course talks to anything in the localnet IP range...

If you can run arbitrary code on a device linked to the local lan, it's feasible now in a lot of homes that you can take over the security of the home. And heating and other devices as well. Why, you could totally piss the owners off by starting their web-enabled at a time other than when they specified!

Bewildered. (That's grown-up speak for "wtf")

Before I get too many downvotes, I do have tongue more or less in cheek on the title - but what follows is 100% serious.

Until we have self loading dishwashers, how can they need internet access? We don't run them til they're loaded. Humans load them. Once they're full, we set them off. If we don't want them to clean the dishes straight away, they have a "delay" feature so we can run them when the Economy7 has kicked in/while the sun's up and our solar panels are providing the juice.

Us humans put the salt, tablets & rinse-aid in. Needing internet access to order more rinse-aid etc when it's running low is (until the manufacturers can be trusted with anything sharper than a crayon or warmer than a cushion) a decidedly sub-optimal path.

So why on earth do we need internet enabled dishwashers? "Because we can" is a valid human argument for scaling Everest (for those humans so inclined/capable) but letting household appliances loose on the internet "because we can" (rather than "because we need to") is lazy, foolish & pointless.

Re: Bewildered. (That's grown-up speak for "wtf")

To misquote Edmund Hillary, They are connected to the internet because it (the internet) is there.

They can, um, ping your iphone when the dishes are done. Let you check that the kids have run the dishwasher from work. Keep statistics about powder usage. Disable the machine if it is found to be used by terrorists. The possibilities are only limited by your imagination...

The next dishwasher that I buy will certainly be connected to the Internet of Things ... because I won't have any choice.

Re: Bewildered. (That's grown-up speak for "wtf")

"Before I get too many downvotes," - nope, you get a UV for a well reasoned argument. I suspect product design went a bit like this:

We can bolt internets onto our usual model, markup £200 retail for <sticks finger in the air> £13.56 RnD plus parts per unit. No let's skip the R bit and throw in most of a cheap IP camera's guts without the CCD etc. Fiddle with the web UI and profit. App n stuff. Internets - great.

I don't own a washing machine with an IP stack. I already have a THINGS VLAN and a SEWER VLAN for devices that scare me more ('leccy readers eg) than stuff I put on THINGS. This will need yet another VLAN for stuff I wouldn't even put on SEWER.

What the hell do I call that? How about AIRGAP? It would certainly have Security Onion looking at it sternly. My home network is probably not your average but I sometimes wish it was.

Re: Bewildered. (That's grown-up speak for "wtf")

We get internet connected dishwashers because Miele think there are idiots out there who would choose their model over one without an internet connection, and that fewer people will refuse to buy it for the same reason.

In that sense I think Miele are entirely correct in their assumptions. If we (in the widest sense) are living in hell, it's one we made...

Re: Bewildered. (That's grown-up speak for "wtf")

Have an upvote. I am not convinced a self loading dishwasher would need an Internet connection. It could be programed to load and if full run at time ex. My coffee maker has a feature to auto brew at a preset time. We are not talking rocket science.

Re: Bewildered. (That's grown-up speak for "wtf")

Provided I can disassemble it and use wirecutters on the interface before it can send out a distress call then I win. Always assuming there isn't some sort of deaddishwasher's switch.

I only have one IoT thing on the property and that's squirrelled away on its own subnet so in theory it can talk to the rest of the world but not my local network. Given how crap the associated cloud-based website is (slower than a glacier), I'm sorely tempted to see if I can reverse-engineer the protocol and hack it to talk only to something under my control.

Re: Bewildered. (That's grown-up speak for "wtf")

With a decent firewall, you could also apply a rule to ensure that the SEWER VLAN is blocked from communicating with the Internet and blocked from communicating with the local network. Problem solved.

Luckily, we don't have smart meters here, yet. But if they do, they won't be joining our home network, without a written TOS which includes information about timely update policy and a guarantee for compensation in the case that their device attacks my network. If they want it to phone home, they can pay for their own damned connection!

Re: Bewildered. (That's grown-up speak for "wtf")

I see what you did there. You said 'iPhone' and obviously meant 'Hipster' as frankly the only people who would buy this POS and then connect it to the internet are those with more money than sense a.k.a. Apple customers.

Then the bit about the kids. Loved it.

My kids are on the other side of the planet. Perhaps I should connect my DW up so that they can check on their GOM and that he is ok? (GOM== Grumpy Old Man)....

Sorry no. While I am an Apple customer (I have a secondhand iPhone) I would never buy AND connect something like this up to the internet in a million, no make that a gazillion years.

Re: Bewildered. (That's grown-up speak for "wtf")

"So why on earth do we need internet enabled dishwashers?"

I can think of one reason: Simpler UI.

The delay feature on my appliances leaves a lot to be desired. I am only interested in what time it will finish, not when it will start. "Done by 7am" is what I want. But I am sure there are others who are more interested in the start time... That means a heckuva lot of buttons, or a big LCD right there on the appliance... Or.... How about a web based UI that you can use from your favorite pad?

But even so, I have to concede that the extra complexity is just not worth it.

Re: Bewildered. (That's grown-up speak for "wtf")

Presumably if you had a dishwasher with a clock, the "finish by" time could be set in a similar way as the "start time" delay, by holding down one button and repeatedly pressing another. That's if you really are unable to calculate a delay time - 1.5 or 2 hours or however long the washing cycle is - at least a couple of hours more for the warm air to dry them.

Then again, this kind of feature is aimed at people who cannot set clocks on kitchen appliances and probably have UPnP on their routers and will never run a security update in their life unless their computer or phone bludgeons them into it (note all the missing devices from that list), so it's all going to end in tears anyway.

Re: Bewildered. (That's grown-up speak for "wtf")

But a really good self-loading dishwasher would be neat! Of course it would need a droid extension that wanders around the house picking up dirty coffee cups and plates, in which case it WOULD need internet access so that it could message you to ask 'have you finished with this half-eaten pork pie?'

Re: Bewildered. (That's grown-up speak for "wtf")

But, for a mere £2,000+, you too can have one of these marvellous devices which give you the benefit of this marvellous marketing blurb:

"With the MobileControl function you can keep an eye on your Miele appliance, even when you're not at home - via smart-phone or tablet PC. Not only can you access the programme status, you can also conveniently select and start programmes regardless of location using your mobile terminal device. Simply download the Miele@mobile app and connect the device to Miele@home. When you return home, your Miele appliance has already finished its work."

Re: Bewildered. (That's grown-up speak for "wtf")

"The next dishwasher that I buy will certainly be connected to the Internet of Things ... because I won't have any choice."

Like vinyl records - there will come a time when some people will want their white goods to be "old school". As the IoT will only be a controller function then - like a car's ECU - a business will exist to tweak its function.

That will then be made illegal for reasons of safety - and because the government wants electricity suppliers to be able to control your white goods devices.

Globalisation will mean that every mechanical part will come from the same source - and only the final branding and cosmetics will be different.